[Bug 574] New: nf_conntrack_ftp.c ignores RFC 1123 regarding parentheses in FTP passive mode message 227

bugzilla-daemon at bugzilla.netfilter.org
Tue Feb 3 02:13:35 CET 2009


http://bugzilla.netfilter.org/show_bug.cgi?id=574

           Summary: nf_conntrack_ftp.c ignores RFC 1123 regarding
                    parentheses in FTP passive mode message 227
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P3
         Component: ip_conntrack
        AssignedTo: laforge at netfilter.org
        ReportedBy: mpost at novell.com


/net/netfilter/nf_conntrack_ftp.c specifically checks for parentheses
surrounding the IP address and port numbers in the FTP server 227 message. 
This results in "hung" FTP sessions when trying to use passive mode with FTP
servers that do not use parentheses in their 227 response.  This is the case
with IBM's FTP server for z/VM 5.x.

RFC 1123 says:
The format of the 227 reply to a PASV command is not well standardized.  In
particular, an FTP client cannot assume that the parentheses shown on page 40
of RFC-959 will be present (and in fact, Figure 3 on page 43 omits them). 
Therefore, a User-FTP program that interprets the PASV reply must scan the
reply for the first digit of the host and port numbers.

While the RFC was intended to apply to FTP clients interpreting messages, it
should also be applied to the nf_conntrack_ftp kernel module as well, since it
is essentially performing the same function, but on behalf of more than one
user.


-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
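
Added example, not part of the original bug report and not the kernel module's code: a user-space C sketch contrasting a parser that requires the opening parenthesis with one that scans for the first digit as RFC 1123 describes, both rejecting fields above 255. The function names are hypothetical and the sample reply is constructed (192.0.2.10 is a documentation address).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Six comma-separated decimal fields h1,h2,h3,h4,p1,p2, each 0-255. */
static int parse_hostport(const char *p, unsigned char ip[4], unsigned *port)
{
    unsigned v[6];
    for (int i = 0; i < 6; i++) {
        if (!isdigit((unsigned char)*p))
            return -1;
        for (v[i] = 0; isdigit((unsigned char)*p); p++)
            if ((v[i] = v[i] * 10 + (unsigned)(*p - '0')) > 255)
                return -1;          /* reject out-of-range fields */
        if (i < 5 && *p++ != ',')
            return -1;              /* fields must be comma separated */
    }
    for (int i = 0; i < 4; i++)
        ip[i] = (unsigned char)v[i];
    *port = (v[4] << 8) | v[5];
    return 0;
}

/* Strict: the address is only accepted when it follows '('. */
int parse_227_strict(const char *reply, unsigned char ip[4], unsigned *port)
{
    const char *p = strncmp(reply, "227 ", 4) ? NULL : strchr(reply + 4, '(');
    return p ? parse_hostport(p + 1, ip, port) : -1;
}

/* Tolerant: skip the reply code, then scan to the first digit (RFC 1123). */
int parse_227_rfc1123(const char *reply, unsigned char ip[4], unsigned *port)
{
    if (strncmp(reply, "227 ", 4) != 0)
        return -1;
    const char *p = reply + 4;
    while (*p && !isdigit((unsigned char)*p))
        p++;
    return parse_hostport(p, ip, port);
}

int main(void)
{
    /* Constructed sample reply without parentheses (not captured traffic). */
    const char *r = "227 Entering Passive Mode 192,0,2,10,19,137";
    unsigned char ip[4]; unsigned port = 0;
    printf("strict=%d\n", parse_227_strict(r, ip, &port));
    if (parse_227_rfc1123(r, ip, &port) == 0)
        printf("rfc1123=%u.%u.%u.%u:%u\n", ip[0], ip[1], ip[2], ip[3], port);
    return 0;
}
```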


